Statement in response to ICO Enforcement Notice

The Jersey Data Protection Authority (JDPA) has issued the following statement in support of the Information Commissioner’s Office’s (ICO’s) enforcement action against leisure provider Serco Jersey Limited.

In a statement issued today, Jersey Office of the Information Commissioner Operations Director Anne King said: “The Jersey Data Protection Authority (JDPA) works with other data protection regulators across the globe. The Information Commissioner’s Office (ICO) investigated this matter as processing activity took place outside of Jersey.

Serco Jersey Limited acts as a joint controller for the purposes of data protection, with Serco Leisure, a large multinational organisation. The ICO investigated the matter using the territorial scope provision, in Article 3(1) of the UK’s GDPR. The JDPA did not receive any complaints directly from employees in this case.

The ICO and the JDPA take the matter of employee surveillance extremely seriously, as you will recall from a recent Public Statement we issued in late 2023.

The processing of biometric data, which is special category data (i.e. it has a greater risk of prejudice and harm would it be processed inappropriately, placing increased responsibilities on any data controller when considering using it) needs to be very carefully considered in terms of genuine requirements, security, alternative options, data sharing/transfers.

The ICO’s enforcement notice to Serco Jersey Limited states ‘employees are required to provide biometric data that will be processed regularly and systematically as part of their employment. This is a regular intrusion into employees’ privacy, over which they have no, or minimal, control’.

Data Protection Laws redress power imbalance between the individual and the organisations and preserve democracy. The ICO state that in this case, due to the imbalance of power between the organisation and its employees, the relevant data subjects are in a vulnerable position. There is evidence that distress has been caused to data subjects, including the receipt by Serco and the ICO of a complaint relating to the processing.

The JDPA cite that lessons must be learned in that the processing of personal information must be appropriate, fair and proportionate. Especially the use of biometric data and employee surveillance mechanisms.”